Description

BACKGROUND 
Field of the Invention 

[0001] This invention relates to Public Key Infrastructures (PKI), and more specifically to secure legacy enclaves in a PKI.

Background Information 

[0002] A public key infrastructure (PKI) is a collection of servers and software that enables an organization, company, or enterprise to distribute and manage thousands of unique public/private cryptographic keys in a manner that allows users to reliably determine the identity of the owner of each public/private key pair. When each member of an enterprise has a unique key, paper-based business processes may be transitioned to an online, electronic equivalent. Public/private key pairs have the property that for any given public key there exists one and only one private key, and vice versa. Public key cryptography (i.e., the ability to publicly distribute the encryption key) can be used to digitally sign documents. If a particular message can be decrypted using one member of the key pair, then the assumption is that the message must have been encrypted using the other member. If only one person knows the key used to perform the encryption of a document in the first place, then the recipients that can decrypt the document can be sure that the sender of the document must be that person.
[0003] However, for a digital signature to be meaningful, the recipient of an object signed with the digital signature must first be able to reliably determine the owner and integrity of the key used to sign the object. Public infrastructures accomplish this using an electronic document called a digital certificate. Certificates may contain information identifying the owner of the key pair, the public component of the pair, and the period of time for which the certificate is valid. The certificate may also identify technical information about the key itself, such as the algorithm used to generate the key, and the key length. Certificates are generated by organizations, companies, or enterprises that are responsible for verifying the identity of individuals (or in some instances organizations) to which certificates are issued. The certifying organization is known as a certificate authority. The certificate authority signs each certificate using a private key known only to the certificate authority itself. This allows users of the PKI to verify both the integrity of the certificate and the identity of the authority that issued it. By issuing a certificate, a certificate authority is stating that it has verified that the public key that appears in the certificate (and, by extension, the corresponding private key) belongs to the individual listed in the certificate. The integrity with which the registration process operates is, therefore, of great importance. The process must provide mechanisms for reliably identifying the individual and for verifying that the public key listed in the certificate belongs to that individual.

[0004] Fig. 1 shows a block diagram of an example PKI system architecture. Current PKIs that provide strong authentication of user identity accomplish this via the use of a local registration authority officer (LRAO) 12. LRAO 12 operates at a work station or server platform 14 that runs a local registration authority software application 16. Server platform 14 may be any known computing device that may serve as a server, e.g., computer, workstation, etc. The local registration authority application 16 interfaces to other server platforms that may contain applications such as a certificate authority application 18, a registration authority application 20, and/or a key recovery authority application 22. Each application may be on the same server platform, or on separate individual server platforms 14. A user 10, that is using or desires access to the PKI system architecture, accesses the system via a web browser 22 on a client platform 24. A hardware token 26, such as a smart card, may also be operably connectable to client platform 24. Typically in current systems, user 10 presents a photo I.D. to the local registration authority officer 12 in order to authenticate the user's identity. Local registration authority officer 12 then uses workstation 14 and local registration authority application 16 to signal a registration authority application 20 to register new user 10 in the system. Local registration authority application 16 may be off-the-shelf product software that comes typically bundled with a certificate authority application 18, registration authority application 20, and key recovery authority 22 software.
[0005] A public/private key pair is generated by either the local registration authority application 16 or the registration authority application 20 (depending on products chosen and depending on how they've been configured). The public key is sent to certificate authority application 18 to be signed, thereby generating a certificate for new user 10. A backup copy of the private key may also be sent to key recovery authority application 22; however, normally the private key is kept on a token 26, or at client platform 24 by user 10. Once the public key is sent to a certificate authority 18 and signed, a user certificate is generated and provided to a local registration authority server. Local registration authority officer 12 copies the certificate (including the private key) onto a floppy disk, hardware token, or other storage medium, and then provides the certificate and private key to the user.
[0006] Current PKI systems that integrate legacy applications into the system modify software in a legacy application 30 resident on a legacy server 32. The modifications are performed by a legacy developer 34 who modifies the software within the legacy application by modifying the source code and recompiling the application. The software modifications allow the legacy application to work with signature certificates. Modifying the software within the legacy application is usually very expensive.
[0007] In current systems a user may attempt to access a legacy application 30 on legacy server 32 from a client's platform 24. Such a system can be seen in US-A-5 754 830. Before access to the legacy server is granted, the user must present the user's signature certificate to the legacy application (since the legacy application has been modified so that a certificate from the user is required). Depending on an access control list configured in the legacy application, the legacy application will either grant or deny access to the user based on the user's signature certificate. Legacy applications and servers typically employ proprietary computer interfaces and custom software clients. These interfaces and clients typically rely on a simple user ID and password scheme to authenticate the identity of a user. However, as noted previously, making significant modifications to these interfaces and clients to work with signature certificates is generally very expensive.

[0008] Therefore, a need exists for a system and method for integrating legacy systems into a modern PKI-based authentication system without requiring expensive modifications to the legacy software.

SUMMARY 

[0009] The present invention is directed to a system for secure legacy enclaves in a Public Key Infrastructure (PKI) that includes one or more legacy servers, one or more client platforms, one or more directories, and a Virtual Private Network (VPN) extranet gateway. The legacy servers contain one or more legacy applications and may be connected to a first network. The client platforms are connected to a second network. The client platforms contain legacy client software employable by users to access the legacy applications. The directories are connected to the second network and contain information on the users. The directories also contain information on each user designating whether the user is authorized to access the legacy servers. The VPN extranet gateway is connected between the legacy servers and the second network. The VPN extranet gateway requests a signature certificate of each user attempting access to a legacy application to authenticate the user. The VPN extranet gateway queries the directory to confirm the user is allowed access to the legacy server after authenticating the user. The VPN extranet gateway establishes a connection between the legacy client software and the legacy application if the user is allowed access to the legacy server.

[0010] The present invention is further directed to a method for secure legacy enclaves in a PKI that includes: installing a VPN extranet gateway between one or more legacy servers and a legacy client platform; attempting access to a legacy application on a legacy server by a user employing legacy client software on the legacy client platform; requesting a signature certificate of the user by the VPN extranet gateway to authenticate the user; querying a directory by the VPN extranet gateway after authenticating the user to confirm the user is allowed access to the legacy server; and establishing a connection between the legacy client software and the legacy application if the user is allowed access to the legacy server.

[0011] The present invention is also directed to an article comprising a storage medium having instructions stored therein, where the instructions when executed cause a processing device to perform: receiving an attempt to access a legacy application on a legacy server from a user employing legacy client software; requesting a signature certificate of the user to authenticate the user; querying a directory to confirm the user is allowed access to the legacy server after authenticating the user; and establishing a connection between the legacy client software and the legacy application if the user is allowed access to the legacy server.

BRIEF DESCRIPTION OF THE DRAWINGS 

[0012] The present invention is further described in the detailed description which follows in reference to the noted plurality of drawings by way of non-limiting examples of embodiments of the present invention in which like reference numerals represent similar parts throughout the several views of the drawings and wherein:

[0013] Fig. 1 is a block diagram of an example PKI system architecture;

[0014] Fig. 2 is a block diagram of an exemplary system architecture in which PKI processes may be practiced according to an example embodiment of the present invention; and

[0015] Fig. 3 is a flowchart of an example process for secure legacy enclaves in a public key infrastructure according to an example embodiment of the present invention.

DETAILED DESCRIPTION 

[0016] The particulars shown herein are by way of example and for purposes of illustrative discussion of the embodiments of the present invention. The description taken with the drawings makes it apparent to those skilled in the art how the present invention may be embodied in practice.

[0017] Further, arrangements may be shown in block diagram form in order to avoid obscuring the invention, and also in view of the fact that specifics with respect to implementation of such block diagram arrangements are highly dependent upon the platform within which the present invention is to be implemented, i.e., specifics should be well within the purview of one skilled in the art. Where specific details (e.g., circuits, flowcharts) are set forth in order to describe example embodiments of the invention, it should be apparent to one skilled in the art that the invention can be practiced without these specific details. Finally, it should be apparent that any combination of hard-wired circuitry and software instructions can be used to implement embodiments of the present invention, i.e., the present invention is not limited to any specific combination of hardware circuitry and software instructions.

[0018] Although example embodiments of the present invention may be described using an example system block diagram in an example host unit environment, practice of the invention is not limited thereto, i.e., the invention may be able to be practiced with other types of systems, and in other types of environments (e.g., servers).

[0019] Reference in the specification to "one embodiment" or "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the invention. The appearances of the phrase "in one embodiment" in various places in the specification are not necessarily all referring to the same embodiment.

[0020] Fig. 2 shows a block diagram of an exemplary system architecture 100 in which Public Key Infrastructure (PKI) processes may be practiced according to an example embodiment of the present invention. The present invention is not limited to the system architecture 100 shown in Fig. 2. The boxes shown in Fig. 2 represent entities that may be hardware, software, or a combination of the two. The entities are operably connected together on a network. Entities not shown as being connected to the network represent one or more human beings that perform the function denoted inside the box.

[0021] System architecture 100 includes Data Entry 102 which performs a data entry function for Authoritative Database 104. Authoritative Database 104 is resident on server platform 106. A server platform 106 is referred to in this description but it should be understood that the present invention is not limited to any particular server architecture. Server platform 106 may be, for example, UNIX or Windows NT servers.

[0022] Authoritative database 104 contains information about members of the group or enterprise (e.g., company) for which PKI services in accordance with the present invention may be performed. The present invention is not limited by the structure of the group or enterprise for which information is stored in the authoritative database 104. The information contained in Authoritative database 104 may include, for example, the name, address, telephone numbers, manager's name, employee identification, etc., of the members of the group or enterprise. Directory 108 contains the same information contained in database 104, but is optimized for fast look-up of the information stored therein rather than fast data entry. The information contained in Directory 108 may be accessed faster than accessing the information from database 104. Directory 108 functions similar to an online quickly accessible phone book, containing reference information about the members of the group or enterprise stored in authoritative database 104.

[0023] Certificate authority 110 may be conventional off-the-shelf software executed on server platform 106. Certificate authority 110 provides storage of certificates and related information. This will be described in more detail hereinafter. Registration authority 112 may also be off-the-shelf software executable on server platform 106. Registration authority 112 will also be described in more detail hereinafter. Key recovery authority 114 may also be off-the-shelf server software executable on Server Platform 106, and may provide the function of recovering keys (e.g., archived or lost keys) for members of the group or enterprise.

[0024] A Windows 2000 Domain Certificate Authority (CA) 116 is shown with a dotted line connection to the network and may or may not be part of a system according to the present invention. Windows 2000 is able to use PKI certificates for network single sign-on, but Windows 2000 is designed to use only the Windows Certificate Authority. Therefore, a system according to the present invention may include a conventional Certificate Authority 110 as well as a Windows 2000 Domain CA 116.

[0025] Legacy server 118 executes legacy application programs 120. Legacy server 118 may be, without limitation, a main frame, mini-computer, workstation or other server capable of hosting legacy software applications. Legacy software applications generally may not be designed to be inherently interoperable with a PKI. Legacy applications 120 may be accessible on the client side by a custom client 128 such as an emulator or custom database Graphic User Interface (GUI). Examples of emulators are terminal emulators of an IBM 3270 or terminal emulators of a vt100.

[0026] Registration web page 122, which may be one or more pages, functions as the user interface to system architecture 100 shown in Fig. 1. Web Server 124 is a software application that serves Web Pages (such as web page 122) or other HTML outputs to a web browser client (such as web browser 126). Web Server 124 may be any software application that serves Web Pages or HTML outputs such as, for example, Apache, Microsoft Internet Information Server application, etc.

[0027] Web browser 126 is resident on client platform 128 which may be any user computer or computing device. Web browser 126 may be a client software application for browsing web pages such as, for example, HTML protocols, XML protocols, or other protocols. Web browser 126 may be programmed to operate with PKI certificates issued by certificate authority 110. Examples of web browsers which have this capability include Netscape Navigator and Microsoft Internet Explorer. The token 130 may be a smart card, a device with a Universal Serial Bus (USB), or other hardware token device capable of generating, storing, and/or using PKI certificates.
[0028] A user 132 is a person that uses or desires access to system architecture 100. User 132 may transition through a number of states which include, for example, a new user, a current user, and a former user. A former user is no longer a member of the group or enterprise. System architecture 100 is described with reference to two levels of security with each level corresponding to a different security requirement. The number of the levels of security is not a limitation of the present invention. The level 1 search engine 134 may be a search engine that is permitted to search system architecture 100, but is allowed access to only level 1 data which is the lowest level of security. Level 1 data may be, for example, data which is freely distributable whereas level 2 data may be considered to be proprietary. A Level 2 search engine 136 may be a search engine which is allowed to search both level 1 and level 2 data. A Level N search engine (not illustrated) may be a search engine which is allowed to search through servers possessing Levels 1 through N data.

[0029] A secured level server with Level 1 data may be a web server containing only level 1 data that is secured so that users may need to have level 1 access (at least) to access the level 1 servers. A secured webserver with level 2 data 140 may be a web server that contains level 2 data that has been secured so that users must have at least level 2 access to access the level 2 servers. A user with level 2 access may have access to both level 1 and level 2 servers. A secured web server with level N data (not illustrated) is a web server that contains level N data which is accessible by users with level N or above. Users with level N or above access may have access to all levels of data up through level N data.

[0030] VPN Extranet 142 may be a software application which functions as a network gateway, which as illustrated, may be either to legacy server 118 and legacy application 120 or to an external network such as the Internet. Personal revocation authority 144 may be one or more people that are in charge of revocation of members from system network 100. Personal registration authority 146 may be one or more people that are in charge of registration of members in system network 100. Personal recovery approval 148 may be one or more people that are in charge of obtaining recovery of certificates. A Recovery Agent 150 may be one or more people that perform recovery of certificates and may only recover a certificate if the certificate has first been designated as recoverable by another person. Personal role approval 152 may be one or more people that approve different role functions within the system network 100. A web server administrator may be one or more people that are in charge of various web functions in system network 100.

[0031] Systems and methods for secure legacy enclaves according to the present invention provide the combined application of digital signature certificates and virtual private networks (VPNs) to provide a lower cost solution to creating secure legacy enclaves. A legacy enclave may be defined as a network local area network (LAN) that has been segregated from the enterprise network for the purpose of isolating legacy servers and applications. According to the present invention, legacy enclaves are isolated from the main network. The legacy enclaves are attached to and protected by VPNs that require digital signature validation and verification from users before allowing access to the servers and applications of the legacy enclaves.

[0032] A VPN extranet gateway accesses one or more directories, that contain digital signatures of users, for validation of a user/client attempting to access a legacy system. The VPN gateway effectively creates a secure enclave around the legacy system by placing it in a virtual network consisting only of itself (i.e., the secure legacy enclave). The VPN gateway allows encrypted access through the VPN gateway, thus employing modern security solutions for network-to-network (enterprise network-to-secure legacy enclave) activity.

[0033] Fig. 3 shows a flowchart of an example process for secure legacy enclaves according to an example embodiment of the present invention. A VPN extranet gateway is inserted between one or more legacy servers and one or more legacy client platforms S1. The legacy servers may be part of one or more legacy enclave networks. The client platforms may be connected to an enterprise network. The VPN extranet gateway may be inserted by an enterprise network administrator. The legacy network administrator may configure the VPN extranet gateway with users that are allowed to access the legacy servers S2. A user employs legacy client software, resident at a client platform, to attempt access to a legacy application on a legacy server S3. The VPN extranet gateway receives the attempt from the user and requests that the user send the user's signature certificate S4. The VPN extranet gateway uses the user's signature certificate to authenticate the user, i.e., validate that the user is indeed who the user says they are. The VPN gateway receives the user's signature certificate, authenticates the user, and queries a directory to confirm the user is allowed access to the legacy server S5. The directory may be a database that may be connected to the enterprise network. The directory contains information on all users that are members of the enterprise, along with other information about each user, for example, whether the user is allowed access to legacy servers. The directory accesses the user's information stored in the directory, and determines if the user is allowed access to the legacy server. If the user is allowed access to the legacy server, the VPN extranet gateway establishes a connection between the legacy client software resident on the client platform, and the legacy application resident on a legacy server S6. After the connection is established between the legacy client software and the legacy application, the legacy application may further require a user ID and password from the user before allowing the user access to the legacy application.
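The gateway decision of steps S4 to S6 above, as an added example in Python that is not part of the patent: the presented signature certificate is first authenticated (trusted issuer, CA signature, validity period) and only then is the directory consulted for the per-user legacy-access flag, so a genuine certificate held by a former user or by a user without that flag is still refused. The certificate format, the HMAC stand-in for the CA's signature, the directory entries and the user names are all constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed stand-in for the certificate authority's signing key.  A real CA
# signs with a private key (e.g. RSA); an HMAC is used here only so that the
# example runs with the standard library.
CA_SIGNING_KEY = b"constructed-enterprise-ca-key"
TRUSTED_ISSUER = "CN=Enterprise CA"  # hypothetical issuer name


@dataclass(frozen=True)
class SignatureCertificate:
    """Minimal model of a user's signature certificate (constructed format)."""
    subject: str
    issuer: str
    not_before: str  # ISO 8601 with UTC offset
    not_after: str
    signature: str   # hex digest over to_be_signed()

    def to_be_signed(self) -> bytes:
        body = {"subject": self.subject, "issuer": self.issuer,
                "not_before": self.not_before, "not_after": self.not_after}
        return json.dumps(body, sort_keys=True).encode()


def ca_issue(subject: str, not_before: str, not_after: str,
             issuer: str = TRUSTED_ISSUER,
             signing_key: bytes = CA_SIGNING_KEY) -> SignatureCertificate:
    """Issue a certificate: the CA signs the subject and validity fields."""
    unsigned = SignatureCertificate(subject, issuer, not_before, not_after, "")
    sig = hmac.new(signing_key, unsigned.to_be_signed(), hashlib.sha256).hexdigest()
    return SignatureCertificate(subject, issuer, not_before, not_after, sig)


# Constructed directory entries (Directory 108 in the description): enterprise
# membership state plus the per-user flag granting legacy-server access.
DIRECTORY = {
    "CN=alice": {"status": "current", "legacy_access": True},
    "CN=bob":   {"status": "current", "legacy_access": False},
    "CN=carol": {"status": "former",  "legacy_access": True},
}


def authenticate(cert: SignatureCertificate, now: datetime) -> tuple:
    """Step S4: is the presented certificate genuine and currently valid?"""
    if cert.issuer != TRUSTED_ISSUER:
        return False, "issuer not trusted"
    expected = hmac.new(CA_SIGNING_KEY, cert.to_be_signed(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cert.signature):
        return False, "CA signature does not verify"
    not_before = datetime.fromisoformat(cert.not_before)
    not_after = datetime.fromisoformat(cert.not_after)
    if not (not_before <= now <= not_after):
        return False, "certificate outside its validity period"
    return True, "authenticated"


def authorize(subject: str, directory: dict = DIRECTORY) -> tuple:
    """Step S5: does the directory grant this authenticated user legacy access?"""
    entry = directory.get(subject)
    if entry is None:
        return False, "subject not in directory"
    if entry["status"] != "current":
        return False, "former user"
    if not entry["legacy_access"]:
        return False, "directory does not grant legacy access"
    return True, "authorized"


def gateway_decide(cert: SignatureCertificate, now: datetime) -> dict:
    """Gateway decision for one access attempt (S4, S5, then S6).  On success
    the legacy application may still ask for its own user ID and password."""
    ok, why = authenticate(cert, now)
    if not ok:
        return {"connected": False, "stage": "S4", "reason": why}
    ok, why = authorize(cert.subject)
    if not ok:
        return {"connected": False, "stage": "S5", "reason": why}
    return {"connected": True, "stage": "S6", "reason": "connection to legacy application established"}


def run_scenarios(now: datetime | None = None) -> dict:
    """Constructed access attempts covering each branch of the decision."""
    now = now or datetime(2024, 6, 1, tzinfo=timezone.utc)
    valid = ("2024-01-01T00:00:00+00:00", "2025-01-01T00:00:00+00:00")
    alice = ca_issue("CN=alice", *valid)
    # Same subject and issuer name, but signed with a key the CA never held.
    forged = ca_issue("CN=alice", *valid, signing_key=b"not-the-ca-key")
    expired = ca_issue("CN=alice", "2020-01-01T00:00:00+00:00", "2021-01-01T00:00:00+00:00")
    return {
        "alice_ok": gateway_decide(alice, now),
        "alice_forged": gateway_decide(forged, now),
        "alice_expired": gateway_decide(expired, now),
        "bob_no_legacy_flag": gateway_decide(ca_issue("CN=bob", *valid), now),
        "carol_former_user": gateway_decide(ca_issue("CN=carol", *valid), now),
        "dave_unknown": gateway_decide(ca_issue("CN=dave", *valid), now),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:20s} {result}")
```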

[0034] Systems and methods for secure legacy enclaves according to the present invention are advantageous in that no software changes to the legacy systems are required. Further, greater security is achieved by the requirement that someone who seeks access to the legacy system may have to provide not only a password, but also a digital signature certificate to a VPN.

[0035] It is noted that the foregoing examples have been provided merely for the purpose of explanation and are in no way to be construed as limiting of the present invention. While the present invention has been described with reference to a preferred embodiment, it is understood that the words which have been used herein are words of description and illustration, rather than words of limitation. Changes may be made within the purview of the appended claims, as presently stated and as amended, without departing from the scope and spirit of the present invention in its aspects. Although the present invention has been described herein with reference to particular methods, materials, and embodiments, the present invention is not intended to be limited to the particulars disclosed herein; rather, the present invention extends to all functionally equivalent structures, methods and uses, such as are within the scope of the appended claims.



Claims 

1. A system (100) for a secure legacy enclave in a Public Key Infrastructure (PKI) comprising:

at least one legacy server (118), the at least one legacy server containing at least one legacy application (120);

at least one client platform (128) operatively connected to a network, the at least one client platform containing legacy client software employable by at least one user to access the at least one legacy application;

a directory (108) operably connected to the network, the directory containing information on the at least one user, the directory further containing information on each at least one user designating whether each at least one user is authorized to access the at least one legacy server; and

a Virtual Private Network (VPN) extranet gateway (142), the VPN extranet gateway operatively connected between the at least one legacy server (118) and the network, the VPN extranet gateway requesting a signature certificate of the at least one user attempting access to the legacy application to authenticate the at least one user, the VPN extranet gateway querying the directory (108) to confirm the at least one user is allowed access to the legacy server after authenticating the at least one user, the VPN extranet gateway establishing a connection between the legacy client software and the legacy application if the at least one user is allowed access to the legacy server.

2. The system according to claim 1, wherein the directory comprises a database.

3. The system according to claim 1, further comprising a second network, the at least one legacy server operatively connected to the second network, the VPN extranet gateway operatively connected between the second network and the network.

4. A method for secure legacy enclaves in a Public Key Infrastructure (PKI) comprising:

installing a virtual private network (VPN) extranet gateway between at least one legacy server and a legacy client platform (S1);

attempting access to a legacy application on the at least one legacy server by a user employing legacy client software on the legacy client platform (S3);

requesting a signature certificate of the user by the VPN extranet gateway to authenticate the user (S4);

querying a directory by the VPN extranet gateway after authenticating the user to confirm the user is allowed access to the at least one legacy server (S5); and

establishing a connection between the legacy client software and the legacy application if the user is allowed access to the at least one legacy server (S6).

5. The method according to claim 4, further comprising configuring the VPN extranet gateway with users allowed access to the at least one legacy server after the installing the VPN extranet gateway between the at least one legacy server and the legacy client platform.

6. The method according to claim 4, wherein the directory comprises a database.

7. The method according to claim 4, further comprising requesting a user ID and password from the user by the legacy server after the connection is established between the legacy client software and the legacy application.

8. The method according to claim 4, further comprising requesting a user ID and password from the user by the VPN extranet gateway before the connection is established between the legacy client software and the legacy application.

9. An article comprising a storage medium having instructions stored therein, the instructions when executed causing a processing device to perform:

receiving an attempt to access a legacy application on a legacy server from a user employing legacy client software (S3);

requesting a signature certificate of the user to authenticate the user (S4);

querying a directory to confirm the user is allowed access to the legacy server after authenticating the user (S5); and

establishing a connection between the legacy client software and the legacy application if the user is allowed access to the legacy server (S6).

10. The article according to claim 9, further comprising requesting a user ID and password from the user before the connection is established between the legacy client software and the legacy application.

11. The article according to claim 9, receiving configuration information regarding users allowed access to the at least one legacy server.



Patent claims (German) 

1. System (100) for a secure legacy enclave in a public key infrastructure (PKI), comprising: 

at least one legacy server (118), the at least one legacy server containing at least one legacy application (120); 
at least one client platform (128) operably connected to a network, the at least one client platform containing legacy client software that can be used by at least one user to access the at least one legacy application; 

a directory (108) operably connected to the network, the directory containing information about the at least one user, the directory further containing information about each of the at least one user indicating whether each of the at least one user is permitted to access the at least one legacy server; and 
an extranet gateway (142) for a virtual private network (VPN), the VPN extranet gateway being operably interposed between the at least one legacy server (118) and the network, the VPN extranet gateway requesting a signature certificate from the at least one user attempting to access the legacy application in order to authenticate the at least one user, the VPN extranet gateway querying the directory (108) to confirm, after authentication of the at least one user, that the at least one user is permitted access to the legacy server, the VPN extranet gateway establishing a connection between the legacy client software and the legacy application if the at least one user is permitted access to the legacy server. 



2. System according to claim 1, wherein the directory comprises a database. 

3. System according to claim 1, further comprising a second network, the at least one legacy server being operably connected to the second network, the VPN extranet gateway being interposed between the second network and the network. 

4. Method for secure legacy enclaves in a public key infrastructure (PKI), comprising: 

installing an extranet gateway for a virtual private network (VPN) between at least one legacy server and a legacy client platform (51); 
attempting to gain access to a legacy application on the at least one legacy server by a user using legacy client software on the legacy client platform (53); 
requesting a signature certificate from the user by the VPN extranet gateway in order to authenticate the user (54); 
querying a directory by the VPN extranet gateway after authentication of the user to confirm that the user is permitted access to the at least one legacy server (55); and 

establishing a connection between the legacy client software and the legacy application if the user is permitted access to the at least one legacy server (56). 

5. Method according to claim 4, further comprising configuring the VPN extranet gateway with users who are permitted access to the at least one legacy server, after installing the VPN extranet gateway between the at least one legacy server and the legacy client platform. 

6. Method according to claim 4, wherein the directory comprises a database. 

7. Method according to claim 4, further comprising requesting a user identifier and a password from the user by the legacy server after the connection between the legacy client software and the legacy application has been established. 

8. Method according to claim 4, further comprising requesting a user identifier and a password from the user by the VPN extranet gateway before the connection between the legacy client software and the legacy application is established. 

9. Article comprising a storage medium having sequences of instructions stored therein, the sequences of instructions, when executed, causing a processing device to perform the following: 

receiving an attempt from a user using legacy client software to access a legacy application on a legacy server (53); 
requesting a signature certificate from the user in order to authenticate the user (54); 
querying a directory after authentication of the user to confirm that the user is permitted access to the legacy server (55); and 

establishing a connection between the legacy client software and the legacy application if the user is permitted access to the legacy server (56). 

10. Article according to claim 9, further comprising requesting a user identifier and a password from the user before the connection between the legacy client software and the legacy application is established. 

11. Article according to claim 9, which receives configuration information relating to users who are permitted access to the at least one legacy server. 



Claims (French) 

1. System (100) for a secure legacy enclave in a public key infrastructure (PKI), comprising: 

at least one legacy server (118), the at least one legacy server containing a legacy application (120), 
at least one client platform (128) operably connected to a network, the at least one client platform containing legacy client software that can be used by at least one user to access the at least one legacy application, 

a directory (108) operably connected to the network, the directory containing information about the at least one user, the directory further containing information about each at least one user indicating whether the at least one user is authorized to access the at least one legacy server, and 

an extranet gateway (142) of the virtual private network (VPN) type, the VPN extranet gateway being operably connected between the at least one legacy server (118) and the network, the VPN extranet gateway requesting a signature certificate from the at least one user attempting to access the legacy application in order to authenticate the at least one user, the VPN extranet gateway querying the directory (108) to confirm, after having authenticated the at least one user, that the at least one user is authorized to access the legacy server, the VPN extranet gateway establishing a connection between the legacy client software and the legacy application if the at least one user is authorized to access the legacy server. 

2. System according to claim 1, wherein the directory comprises a database. 

3. System according to claim 1, further comprising a second network, the at least one legacy server being operably connected to the second network, the VPN extranet gateway being operably connected between the second network and the network. 

4. Method for secure legacy enclaves in a public key infrastructure (PKI), comprising the steps of: 

installing an extranet gateway of the virtual private network (VPN) type between at least one legacy server and a legacy client platform (51), 

attempting to access a legacy application on the at least one legacy server by a user using legacy client software on the legacy client platform (53), 

requesting a signature certificate from the user by the VPN extranet gateway in order to authenticate the user (54), 
querying a directory by the VPN extranet gateway after having authenticated the user to confirm that the user is authorized to access the at least one legacy server (55), and 
establishing a connection between the legacy client software and the legacy application if the user is authorized to access the at least one legacy server (56). 

5. Method according to claim 4, further comprising configuring the VPN extranet gateway with users authorized to access the at least one legacy server after installing the VPN extranet gateway between the at least one legacy server and the legacy client platform. 

6. Method according to claim 4, wherein the directory comprises a database. 

7. Method according to claim 4, further comprising having the legacy server request a user identifier and a password from the user after the connection is established between the legacy client software and the legacy application. 

8. Method according to claim 4, further comprising having the VPN extranet gateway request a user identifier and a password from the user before the connection is established between the legacy client software and the legacy application. 

9. Article comprising a storage medium having instructions stored therein, the instructions, when executed, causing a processing device to perform the steps of: 

receiving an attempt to access a legacy application on a legacy server from a user using legacy client software (53), 

requesting a signature certificate from the user in order to authenticate the user (54), 
querying a directory to confirm, after having authenticated the user, that the user is authorized to access the legacy server (55), and 
establishing a connection between the legacy client software and the legacy application if the user is authorized to access the legacy server (56). 

10. Article according to claim 9, further comprising requesting a user identifier and a password from the user before the connection is established between the legacy client software and the legacy application. 

11. Article according to claim 9, receiving configuration information concerning the users who are authorized to access the at least one legacy server. 
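The gateway logic set out in method claim 4 and article claim 9 (and their German and French counterparts above) separates two decisions: authentication from the user's signature certificate (step 54) and authorization from the directory (step 55), with the connection to the legacy application brokered only when both succeed (step 56). The following Go program is an added illustration of that flow and is not code from the patent or from any product it describes. It assumes an ECDSA P-256 PKI with a self-signed enclave root, a directory keyed on the certificate's common name (constructed sample entries), and a nonce-signing proof of possession so that a captured certificate alone is not enough to authenticate; none of those details are specified by the claims.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Directory (108): user name -> permitted to reach the legacy server (constructed sample data).
type Directory map[string]bool

// Gateway models the VPN extranet gateway (142) interposed between the network and the legacy server (118).
type Gateway struct {
	roots *x509.CertPool // trust anchors of the enclave's PKI
	dir   Directory
}

func NewGateway(trustAnchor *x509.Certificate, dir Directory) *Gateway {
	pool := x509.NewCertPool()
	pool.AddCert(trustAnchor)
	return &Gateway{roots: pool, dir: dir}
}

// Authorize performs steps (54) and (55): the signature certificate must chain to the enclave CA
// and the client must prove possession of its key by signing the gateway's nonce (an assumption
// of this example); only then is the directory consulted. The returned name is the principal the
// gateway may connect to the legacy application (step 56).
func (g *Gateway) Authorize(certDER, nonce, signature []byte) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	opts := x509.VerifyOptions{Roots: g.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not issued by the enclave CA: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return "", fmt.Errorf("unsupported key type %T", cert.PublicKey)
	}
	digest := sha256.Sum256(nonce)
	if !ecdsa.VerifyASN1(pub, digest[:], signature) {
		return "", fmt.Errorf("proof of possession failed for %q", cert.Subject.CommonName)
	}
	// Authenticated. Authorization is a separate decision taken from the directory (step 55).
	if !g.dir[cert.Subject.CommonName] {
		return "", fmt.Errorf("user %q authenticated but not permitted on legacy server", cert.Subject.CommonName)
	}
	return cert.Subject.CommonName, nil
}

// SignNonce is the client side of step (54): sign the gateway's nonce with the certificate's key.
func SignNonce(key *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// newTemplate builds a short-lived template; user certificates carry the client-auth EKU the gateway demands.
func newTemplate(cn string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
		t.BasicConstraintsValid, t.IsCA = true, true
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	return t
}

// NewCA creates a self-signed root standing in for the enterprise CA (constructed for this example).
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	t := newTemplate(name, true)
	der, err := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueUserCert issues a user's signature certificate under the given CA; the CN is the directory key.
func IssueUserCert(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, user string) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.CreateCertificate(rand.Reader, newTemplate(user, false), caCert, &key.PublicKey, caKey)
	return der, key, err
}
```

A user whose certificate chains to the enclave CA but who is marked not permitted in the directory (or is absent from it) is refused with a distinct error from a user presenting a certificate from an untrusted issuer or one without the matching private key; keeping those outcomes separate is what lets the gateway log authentication failures and authorization refusals as different events.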